| … | |
… | |
| 215 | (L<http://cbor.schmorp.de/value-sharing>), as without decoder support, the |
215 | (L<http://cbor.schmorp.de/value-sharing>), as without decoder support, the |
| 216 | resulting data structure might be unusable. |
216 | resulting data structure might be unusable. |
| 217 | |
217 | |
| 218 | Detecting shared values incurs a runtime overhead when values are encoded |
218 | Detecting shared values incurs a runtime overhead when values are encoded |
| 219 | that have a reference counter large than one, and might unnecessarily |
219 | that have a reference counter large than one, and might unnecessarily |
| 220 | increase the encoded size, as potentially shared values are encode as |
220 | increase the encoded size, as potentially shared values are encoded as |
| 221 | shareable whether or not they are actually shared. |
221 | shareable whether or not they are actually shared. |
| 222 | |
222 | |
| 223 | At the moment, only targets of references can be shared (e.g. scalars, |
223 | At the moment, only targets of references can be shared (e.g. scalars, |
| 224 | arrays or hashes pointed to by a reference). Weirder constructs, such as |
224 | arrays or hashes pointed to by a reference). Weirder constructs, such as |
| 225 | an array with multiple "copies" of the I<same> string, which are hard but |
225 | an array with multiple "copies" of the I<same> string, which are hard but |
| … | |
… | |
| 1057 | |
1057 | |
| 1058 | |
1058 | |
| 1059 | =head1 SECURITY CONSIDERATIONS |
1059 | =head1 SECURITY CONSIDERATIONS |
| 1060 | |
1060 | |
| 1061 | Tl;dr... if you want to decode or encode CBOR from untrusted sources, you |
1061 | Tl;dr... if you want to decode or encode CBOR from untrusted sources, you |
| 1062 | should start with a coder object created via C<new_safe>: |
1062 | should start with a coder object created via C<new_safe> (which implements |
|
|
1063 | the mitigations explained below): |
| 1063 | |
1064 | |
| 1064 | my $coder = CBOR::XS->new_safe; |
1065 | my $coder = CBOR::XS->new_safe; |
| 1065 | |
1066 | |
| 1066 | my $data = $coder->decode ($cbor_text); |
1067 | my $data = $coder->decode ($cbor_text); |
| 1067 | my $cbor = $coder->encode ($data); |
1068 | my $cbor = $coder->encode ($data); |
| … | |
… | |
| 1089 | even if all your C<THAW> methods are secure, encoding data structures from |
1090 | even if all your C<THAW> methods are secure, encoding data structures from |
| 1090 | untrusted sources can invoke those and trigger bugs in those. |
1091 | untrusted sources can invoke those and trigger bugs in those. |
| 1091 | |
1092 | |
| 1092 | So, if you are not sure about the security of all the modules you |
1093 | So, if you are not sure about the security of all the modules you |
| 1093 | have loaded (you shouldn't), you should disable this part using |
1094 | have loaded (you shouldn't), you should disable this part using |
| 1094 | C<forbid_objects>. |
1095 | C<forbid_objects> or using C<new_safe>. |
| 1095 | |
1096 | |
| 1096 | =item CBOR can be extended with tags that call library code |
1097 | =item CBOR can be extended with tags that call library code |
| 1097 | |
1098 | |
| 1098 | CBOR can be extended with tags, and C<CBOR::XS> has a registry of |
1099 | CBOR can be extended with tags, and C<CBOR::XS> has a registry of |
| 1099 | conversion functions for many existing tags that can be extended via |
1100 | conversion functions for many existing tags that can be extended via |
| 1100 | third-party modules (see the C<filter> method). |
1101 | third-party modules (see the C<filter> method). |
| 1101 | |
1102 | |
| 1102 | If you don't trust these, you should configure the "safe" filter function, |
1103 | If you don't trust these, you should configure the "safe" filter function, |
| 1103 | C<CBOR::XS::safe_filter>, which by default only includes conversion |
1104 | C<CBOR::XS::safe_filter> (C<new_safe> does this), which by default only |
| 1104 | functions that are considered "safe" by the author (but again, they can be |
1105 | includes conversion functions that are considered "safe" by the author |
| 1105 | extended by third party modules). |
1106 | (but again, they can be extended by third party modules). |
| 1106 | |
1107 | |
| 1107 | Depending on your level of paranoia, you can use the "safe" filter: |
1108 | Depending on your level of paranoia, you can use the "safe" filter: |
| 1108 | |
1109 | |
| 1109 | $cbor->filter (\&CBOR::XS::safe_filter); |
1110 | $cbor->filter (\&CBOR::XS::safe_filter); |
| 1110 | |
1111 | |
| … | |
… | |
| 1125 | the size of CBOR data you accept, or make sure then when your resources |
1126 | the size of CBOR data you accept, or make sure then when your resources |
| 1126 | run out, that's just fine (e.g. by using a separate process that can |
1127 | run out, that's just fine (e.g. by using a separate process that can |
| 1127 | crash safely). The size of a CBOR string in octets is usually a good |
1128 | crash safely). The size of a CBOR string in octets is usually a good |
| 1128 | indication of the size of the resources required to decode it into a Perl |
1129 | indication of the size of the resources required to decode it into a Perl |
| 1129 | structure. While CBOR::XS can check the size of the CBOR text (using |
1130 | structure. While CBOR::XS can check the size of the CBOR text (using |
| 1130 | C<max_size>), it might be too late when you already have it in memory, so |
1131 | C<max_size> - done by C<new_safe>), it might be too late when you already |
| 1131 | you might want to check the size before you accept the string. |
1132 | have it in memory, so you might want to check the size before you accept |
|
|
1133 | the string. |
| 1132 | |
1134 | |
| 1133 | As for encoding, it is possible to construct data structures that are |
1135 | As for encoding, it is possible to construct data structures that are |
| 1134 | relatively small but result in large CBOR texts (for example by having an |
1136 | relatively small but result in large CBOR texts (for example by having an |
| 1135 | array full of references to the same big data structure, which will all be |
1137 | array full of references to the same big data structure, which will all be |
| 1136 | deep-cloned during encoding by default). This is rarely an actual issue |
1138 | deep-cloned during encoding by default). This is rarely an actual issue |
| … | |
… | |
| 1149 | method. |
1151 | method. |
| 1150 | |
1152 | |
| 1151 | =item Resource-starving attacks: CPU en-/decoding complexity |
1153 | =item Resource-starving attacks: CPU en-/decoding complexity |
| 1152 | |
1154 | |
| 1153 | CBOR::XS will use the L<Math::BigInt>, L<Math::BigFloat> and |
1155 | CBOR::XS will use the L<Math::BigInt>, L<Math::BigFloat> and |
| 1154 | L<Math::BigRat> libraries to represent encode/decode bignums. These can |
1156 | L<Math::BigRat> libraries to represent encode/decode bignums. These can be |
| 1155 | be very slow (as in, centuries of CPU time) and can even crash your |
1157 | very slow (as in, centuries of CPU time) and can even crash your program |
| 1156 | program (and are generally not very trustworthy). See the next section for |
1158 | (and are generally not very trustworthy). See the next section on bignum |
| 1157 | details. |
1159 | security for details. |
| 1158 | |
1160 | |
| 1159 | =item Data breaches: leaking information in error messages |
1161 | =item Data breaches: leaking information in error messages |
| 1160 | |
1162 | |
| 1161 | CBOR::XS might leak contents of your Perl data structures in its error |
1163 | CBOR::XS might leak contents of your Perl data structures in its error |
| 1162 | messages, so when you serialise sensitive information you might want to |
1164 | messages, so when you serialise sensitive information you might want to |
